1. Field
The present inventive concept pertains to a system and method to managing sinkholes. The present inventive concept more particularly concerns a system and method to manage sinkholes via various distribution techniques.
2. Discussion of Related Art
Malware authors or attackers of computer systems often use malware that is installed on victims systems. The malware relies on communication to a command and control (C2) server controlled by the attached. In some instances, the attacker loses control of the C2 server and must rely on the public domain name system (DNS) to direct the malware towards a different C2 server IP address.
Sinkholing is the process of gaining control of one or more of the C2 DNS names by a friendly party, and configuring the DNS name to resolve to a friendly sinkhole IP address. The change in DNS name resolution to the friendly IP address causes the malware to initiate connections to a sinkhole sensor which has full global visibility of networks which have been compromised. In this manner, a DNS sinkhole can be used to provide detection and prevention of malicious and unwanted activity occurring between an organization's computer and the Internet. Further information regarding such may be obtained via a paper titled DNS Sinkhole by G. Bruneau dated Aug. 7, 2010, which is incorporated by reference in its entirety.
The major challenge in creating a sinkhole is attribution of the sinkhole presence on the Internet to the malware network operators. If the attacker is able to identify a presence of a particular sinkhole space, they are able to trivially block access to the sinkhole network in new malware or through subsequent updates to an existing malware install base, which prevents deflection of the attacker's C2 communications to a sinkhole network. Current malware sinkholes often operate on a single IP or contiguous range of IP addresses. For example, this has been observed when running a sinkhole in a Class C network (/24). Attackers were found to be blacklisting C2 communications to the entire range. By inserting these blacklists, the attackers effectively cut off the ability to successfully sinkhole the malware, that is, no traffic would be received on the sensors after deflection, which presents a challenge.
Another challenge is mitigating the effects of distributed denial of service attacks. When malware is deflected from the attacker to a sinkhole, they have been known to launch attacks against the sinkhole itself. The attacker often has access to other networks of compromised systems that they use to launch distributed denial of service attacks.
For example, a large DDoS attack was launched against a sinkhole environment with a single connection to the Internet. The provider was forced to null route the entire Class C network upstream. The attack volume was large enough to bring the provider network offline until the null route was in place.